
Can't get rid of viruses


  • This topic is locked
76 replies to this topic

#61 fishbone (Newbie, Members, 1 post)
Posted 26 January 2006 - 01:56 AM

LOG REMOVED
Please start your own post

#62 indigenous1 (Journeyman, Members, 45 posts)
Posted 26 January 2006 - 05:08 AM

I ran CleanUp! twice with your instructions but the virus is still present in that same folder. I also deleted my About:Buster and redownloaded it. I ran it in safe mode and got the same "overflow" error. I also ran Ewido and Ad-Aware in safe mode. Ewido came up with the same 29 files it always finds. Ad-Aware came up with nothing. It's only when I'm in normal mode that the avast "virus found" screen comes up when running Ad-Aware. Here is a fresh HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 5:04:24 AM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#63 guestolo (Site Donator, Admin, 16,247 posts)
Posted 26 January 2006 - 11:01 PM

Please make sure the realtime protections of SpySweeper are disabled

That file is in your temp folder
That error you're getting with About:Buster is being looked into by the developer of the fix
No solution yet I don't believe
Can you do the following please

Download and UNZIP to your desktop from the bottom of this reply box
CWSserviceremove.zip, so you now have cwsserviceremove.reg extracted

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Reboot back to safe mode

Manually navigate to, and delete, the WHOLE contents of the temp folders (including sub-folders)
Do not delete the temp directories themselves

# C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

Run CleanUp! again in safe mode

Double click on cwsserviceremove.reg and allow to add/merge to the registry

Open RegSeeker.exe
Click on "Clean the registry" in the left menu
Hit OK
Let it finish scanning and then ensure Backup before deletion is checked

Choose "Select all"
Right click and Delete all selected

Open Hijackthis>>Open Misc tools>>Open ADS Spy...
Click on SCAN, when it's done save the log to your desktop

Reboot back to Normal mode

Post the log from ADS Spy please

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#64 indigenous1 (Journeyman, Members, 45 posts)
Posted 27 January 2006 - 03:57 AM

Deleted all files in the temp and temporary internet folders, although 2 would not delete because the files were in use. Ran CleanUp! and merged cwsserviceremove.reg. Also ran RegSeeker. Here is the ADS Spy log. Just ran Ad-Aware again and the virus is still there.

C:\WINDOWS\_detmp.2 : aagjuq (11736 bytes)
C:\WINDOWS\_detmp.2 : aaqmhk (0 bytes)
C:\WINDOWS\_detmp.2 : abclxy (0 bytes)
C:\WINDOWS\_detmp.2 : abfcuh (0 bytes)
C:\WINDOWS\_detmp.2 : accrny (0 bytes)
C:\WINDOWS\_detmp.2 : acrarp (0 bytes)
C:\WINDOWS\_detmp.2 : aeayez (11736 bytes)
C:\WINDOWS\_detmp.2 : aefkgw (0 bytes)
C:\WINDOWS\_detmp.2 : aeinmg (0 bytes)
C:\WINDOWS\_detmp.2 : aeutkn (0 bytes)
C:\WINDOWS\_detmp.2 : afczin (0 bytes)
C:\WINDOWS\_detmp.2 : afrime (0 bytes)
C:\WINDOWS\_detmp.2 : agaube (0 bytes)
C:\WINDOWS\_detmp.2 : agauzv (0 bytes)
C:\WINDOWS\_detmp.2 : ahjsin (0 bytes)
C:\WINDOWS\_detmp.2 : ahuhuc (0 bytes)
C:\WINDOWS\_detmp.2 : ahvjfw (0 bytes)
C:\WINDOWS\_detmp.2 : ahxkbl (0 bytes)
C:\WINDOWS\_detmp.2 : aizolz (11152 bytes)
C:\WINDOWS\_detmp.2 : ajckmh (0 bytes)
C:\WINDOWS\_detmp.2 : ajfvsr (0 bytes)
C:\WINDOWS\_detmp.2 : ajqtqy (0 bytes)
C:\WINDOWS\_detmp.2 : ajtwwi (0 bytes)
C:\WINDOWS\_detmp.2 : akejwf (0 bytes)
C:\WINDOWS\_detmp.2 : akpatw (0 bytes)
C:\WINDOWS\_detmp.2 : amcszw (0 bytes)
C:\WINDOWS\_detmp.2 : amfvfg (0 bytes)
C:\WINDOWS\_detmp.2 : amrbcn (0 bytes)
C:\WINDOWS\_detmp.2 : amuejx (0 bytes)
C:\WINDOWS\_detmp.2 : anoqee (0 bytes)
C:\WINDOWS\_detmp.2 : anouyu (11152 bytes)
C:\WINDOWS\_detmp.2 : aokbck (4870 bytes)
C:\WINDOWS\_detmp.2 : aomlvm (0 bytes)
C:\WINDOWS\_detmp.2 : aoxcrv (0 bytes)
C:\WINDOWS\_detmp.2 : apbnme (0 bytes)
C:\WINDOWS\_detmp.2 : apgyrt (0 bytes)
C:\WINDOWS\_detmp.2 : apjjxd (0 bytes)
C:\WINDOWS\_detmp.2 : apuatm (0 bytes)
C:\WINDOWS\_detmp.2 : apuszm (0 bytes)
C:\WINDOWS\_detmp.2 : apzbct (0 bytes)
C:\WINDOWS\_detmp.2 : arjrna (9237 bytes)
C:\WINDOWS\_detmp.2 : arncqn (0 bytes)
C:\WINDOWS\_detmp.2 : asrmdh (0 bytes)
C:\WINDOWS\_detmp.2 : atehuh (11736 bytes)
C:\WINDOWS\_detmp.2 : atqubp (0 bytes)
C:\WINDOWS\_detmp.2 : aulnfd (11736 bytes)
C:\WINDOWS\_detmp.2 : aunjvf (0 bytes)
C:\WINDOWS\_detmp.2 : aurjcz (0 bytes)
C:\WINDOWS\_detmp.2 : auxoly (9237 bytes)
C:\WINDOWS\_detmp.2 : auzpan (0 bytes)
C:\WINDOWS\_detmp.2 : avqlmc (11152 bytes)
C:\WINDOWS\_detmp.2 : awiuoe (0 bytes)
C:\WINDOWS\_detmp.2 : awxvqx (0 bytes)
C:\WINDOWS\_detmp.2 : axcojl (0 bytes)
C:\WINDOWS\_detmp.2 : axneiv (0 bytes)
C:\WINDOWS\_detmp.2 : axrhzm (0 bytes)
C:\WINDOWS\_detmp.2 : axrpnc (0 bytes)
C:\WINDOWS\_detmp.2 : ayoric (11736 bytes)
C:\WINDOWS\_detmp.2 : azqhoj (4870 bytes)
C:\WINDOWS\_detmp.2 : azybmw (0 bytes)
C:\WINDOWS\_detmp.2 : babdet (0 bytes)
C:\WINDOWS\_detmp.2 : baovaa (0 bytes)
C:\WINDOWS\_detmp.2 : bavxst (11736 bytes)
C:\WINDOWS\_detmp.2 : bazmxj (0 bytes)
C:\WINDOWS\_detmp.2 : bblsur (0 bytes)
C:\WINDOWS\_detmp.2 : bbvxvz (11152 bytes)
C:\WINDOWS\_detmp.2 : bcozvz (0 bytes)
C:\WINDOWS\_detmp.2 : bczrri (0 bytes)
C:\WINDOWS\_detmp.2 : bdgdnp (0 bytes)
C:\WINDOWS\_detmp.2 : bdsujy (0 bytes)
C:\WINDOWS\_detmp.2 : bdytsd (11152 bytes)
C:\WINDOWS\_detmp.2 : begeru (0 bytes)
C:\WINDOWS\_detmp.4 : aoauxa (0 bytes)
C:\WINDOWS\_detmp.4 : bfmtqz (0 bytes)
C:\WINDOWS\_detmp.4 : bznuba (0 bytes)
C:\WINDOWS\_detmp.4 : dsdffe (0 bytes)
C:\WINDOWS\_detmp.4 : dvwnrt (0 bytes)
C:\WINDOWS\_detmp.4 : dwfinc (0 bytes)
C:\WINDOWS\_detmp.4 : egpigq (0 bytes)
C:\WINDOWS\_detmp.4 : erhjsg (0 bytes)
C:\WINDOWS\_detmp.4 : ewmjqj (0 bytes)
C:\WINDOWS\_detmp.4 : faluce (0 bytes)
C:\WINDOWS\_detmp.4 : frrrkv (0 bytes)
C:\WINDOWS\_detmp.4 : ftrzxl (0 bytes)
C:\WINDOWS\_detmp.4 : gpomuh (0 bytes)
C:\WINDOWS\_detmp.4 : hblgxn (0 bytes)
C:\WINDOWS\_detmp.4 : igephh (0 bytes)
C:\WINDOWS\_detmp.4 : ilnwkr (0 bytes)
C:\WINDOWS\_detmp.4 : iyihoh (0 bytes)
C:\WINDOWS\_detmp.4 : jgvphx (0 bytes)
C:\WINDOWS\_detmp.4 : jhphtu (0 bytes)
C:\WINDOWS\_detmp.4 : jjuwxc (0 bytes)
C:\WINDOWS\_detmp.4 : jpvivx (0 bytes)
C:\WINDOWS\_detmp.4 : kclzxr (0 bytes)
C:\WINDOWS\_detmp.4 : kkiqqj (0 bytes)
C:\WINDOWS\_detmp.4 : kmorfq (0 bytes)
C:\WINDOWS\_detmp.4 : kwgsqp (0 bytes)
C:\WINDOWS\_detmp.4 : kwudlr (0 bytes)
C:\WINDOWS\_detmp.4 : kwvtuy (0 bytes)
C:\WINDOWS\_detmp.4 : kzlakb (0 bytes)
C:\WINDOWS\_detmp.4 : lpreb (0 bytes)
C:\WINDOWS\_detmp.4 : lqxdqw (0 bytes)
C:\WINDOWS\_detmp.4 : lyiumf (0 bytes)
C:\WINDOWS\_detmp.4 : mhxemm (0 bytes)
C:\WINDOWS\_detmp.4 : moiuao (0 bytes)
C:\WINDOWS\_detmp.4 : mtytdi (0 bytes)
C:\WINDOWS\_detmp.4 : naujlu (197761 bytes)
C:\WINDOWS\_detmp.4 : npintp (0 bytes)
C:\WINDOWS\_detmp.4 : obdgtr (0 bytes)
C:\WINDOWS\_detmp.4 : oespkx (0 bytes)
C:\WINDOWS\_detmp.4 : ogfjco (0 bytes)
C:\WINDOWS\_detmp.4 : pibbdc (0 bytes)
C:\WINDOWS\_detmp.4 : ppelqn (0 bytes)
C:\WINDOWS\_detmp.4 : ptrfuu (0 bytes)
C:\WINDOWS\_detmp.4 : qanbdz (0 bytes)
C:\WINDOWS\_detmp.4 : qcxnyr (0 bytes)
C:\WINDOWS\_detmp.4 : qdfipp (0 bytes)
C:\WINDOWS\_detmp.4 : qmsogi (0 bytes)
C:\WINDOWS\_detmp.4 : qscjhq (0 bytes)
C:\WINDOWS\_detmp.4 : rolvbm (0 bytes)
C:\WINDOWS\_detmp.4 : rqrequ (0 bytes)
C:\WINDOWS\_detmp.4 : rxxajf (0 bytes)
C:\WINDOWS\_detmp.4 : sbelrp (0 bytes)
C:\WINDOWS\_detmp.4 : sufbxq (0 bytes)
C:\WINDOWS\_detmp.4 : svcqrh (0 bytes)
C:\WINDOWS\_detmp.4 : tfmxkv (0 bytes)
C:\WINDOWS\_detmp.4 : tgfykc (0 bytes)
C:\WINDOWS\_detmp.4 : thiidu (0 bytes)
C:\WINDOWS\_detmp.4 : ttlogh (197761 bytes)
C:\WINDOWS\_detmp.4 : uagzek (0 bytes)
C:\WINDOWS\_detmp.4 : ukjyqg (0 bytes)
C:\WINDOWS\_detmp.4 : usupmp (0 bytes)
C:\WINDOWS\_detmp.4 : vgvuil (0 bytes)
C:\WINDOWS\_detmp.4 : vllamw (0 bytes)
C:\WINDOWS\_detmp.4 : vorkbl (0 bytes)
C:\WINDOWS\_detmp.4 : vtwkho (0 bytes)
C:\WINDOWS\_detmp.4 : vvostd (0 bytes)
C:\WINDOWS\_detmp.4 : vxxohe (0 bytes)
C:\WINDOWS\_detmp.4 : whtmxb (0 bytes)
C:\WINDOWS\_detmp.4 : wzowmt (197761 bytes)
C:\WINDOWS\_detmp.4 : xbeieg (0 bytes)
C:\WINDOWS\_detmp.4 : xcyurv (0 bytes)
C:\WINDOWS\_detmp.4 : xkjloe (0 bytes)
C:\WINDOWS\_detmp.4 : xrjemg (0 bytes)

#65 guestolo (Site Donator, Admin, 16,247 posts)
Posted 27 January 2006 - 08:49 AM

Can you run Killbox.exe
Click on Tools>>>Delete Temp files

Main screen of Killbox
In the full path of file to delete, copy and paste the whole line below in bold

C:\WINDOWS\_detmp.2

Select the options to "Delete File on Reboot" and "End Explorer Shell While Killing File"

Click the Red Circle with the White X
Confirm to Delete but don't reboot yet
Instead, do the same for this one

C:\WINDOWS\_detmp.4

This time allow to reboot the computer
If you get a Pending operations message
Close it and Restart the computer manually

Back in Windows
Run Hijackthis' ADS Spy again
This time, before running the scan with ads spy
Can you remove the check from "Quick Scan" please

Post the new log

#66 indigenous1 (Journeyman, Members, 45 posts)
Posted 28 January 2006 - 04:23 PM

Ran Killbox and deleted the 2 files and temp files. Here is the ADS log. Ran Ad-Aware again. Virus still present.

C:\!KillBox\_detmp.2 : aagjuq (11736 bytes)
C:\!KillBox\_detmp.2 : aaqmhk (0 bytes)
C:\!KillBox\_detmp.2 : abclxy (0 bytes)
C:\!KillBox\_detmp.2 : abfcuh (0 bytes)
C:\!KillBox\_detmp.2 : accrny (0 bytes)
C:\!KillBox\_detmp.2 : acrarp (0 bytes)
C:\!KillBox\_detmp.2 : aeayez (11736 bytes)
C:\!KillBox\_detmp.2 : aefkgw (0 bytes)
C:\!KillBox\_detmp.2 : aeinmg (0 bytes)
C:\!KillBox\_detmp.2 : aeutkn (0 bytes)
C:\!KillBox\_detmp.2 : afczin (0 bytes)
C:\!KillBox\_detmp.2 : afrime (0 bytes)
C:\!KillBox\_detmp.2 : agaube (0 bytes)
C:\!KillBox\_detmp.2 : agauzv (0 bytes)
C:\!KillBox\_detmp.2 : ahjsin (0 bytes)
C:\!KillBox\_detmp.2 : ahuhuc (0 bytes)
C:\!KillBox\_detmp.2 : ahvjfw (0 bytes)
C:\!KillBox\_detmp.2 : ahxkbl (0 bytes)
C:\!KillBox\_detmp.2 : aizolz (11152 bytes)
C:\!KillBox\_detmp.2 : ajckmh (0 bytes)
C:\!KillBox\_detmp.2 : ajfvsr (0 bytes)
C:\!KillBox\_detmp.2 : ajqtqy (0 bytes)
C:\!KillBox\_detmp.2 : ajtwwi (0 bytes)
C:\!KillBox\_detmp.2 : akejwf (0 bytes)
C:\!KillBox\_detmp.2 : akpatw (0 bytes)
C:\!KillBox\_detmp.2 : amcszw (0 bytes)
C:\!KillBox\_detmp.2 : amfvfg (0 bytes)
C:\!KillBox\_detmp.2 : amrbcn (0 bytes)
C:\!KillBox\_detmp.2 : amuejx (0 bytes)
C:\!KillBox\_detmp.2 : anoqee (0 bytes)
C:\!KillBox\_detmp.2 : anouyu (11152 bytes)
C:\!KillBox\_detmp.2 : aokbck (4870 bytes)
C:\!KillBox\_detmp.2 : aomlvm (0 bytes)
C:\!KillBox\_detmp.2 : aoxcrv (0 bytes)
C:\!KillBox\_detmp.2 : apbnme (0 bytes)
C:\!KillBox\_detmp.2 : apgyrt (0 bytes)
C:\!KillBox\_detmp.2 : apjjxd (0 bytes)
C:\!KillBox\_detmp.2 : apuatm (0 bytes)
C:\!KillBox\_detmp.2 : apuszm (0 bytes)
C:\!KillBox\_detmp.2 : apzbct (0 bytes)
C:\!KillBox\_detmp.2 : arjrna (9237 bytes)
C:\!KillBox\_detmp.2 : arncqn (0 bytes)
C:\!KillBox\_detmp.2 : asrmdh (0 bytes)
C:\!KillBox\_detmp.2 : atehuh (11736 bytes)
C:\!KillBox\_detmp.2 : atqubp (0 bytes)
C:\!KillBox\_detmp.2 : aulnfd (11736 bytes)
C:\!KillBox\_detmp.2 : aunjvf (0 bytes)
C:\!KillBox\_detmp.2 : aurjcz (0 bytes)
C:\!KillBox\_detmp.2 : auxoly (9237 bytes)
C:\!KillBox\_detmp.2 : auzpan (0 bytes)
C:\!KillBox\_detmp.2 : avqlmc (11152 bytes)
C:\!KillBox\_detmp.2 : awiuoe (0 bytes)
C:\!KillBox\_detmp.2 : awxvqx (0 bytes)
C:\!KillBox\_detmp.2 : axcojl (0 bytes)
C:\!KillBox\_detmp.2 : axneiv (0 bytes)
C:\!KillBox\_detmp.2 : axrhzm (0 bytes)
C:\!KillBox\_detmp.2 : axrpnc (0 bytes)
C:\!KillBox\_detmp.2 : ayoric (11736 bytes)
C:\!KillBox\_detmp.2 : azqhoj (4870 bytes)
C:\!KillBox\_detmp.2 : azybmw (0 bytes)
C:\!KillBox\_detmp.2 : babdet (0 bytes)
C:\!KillBox\_detmp.2 : baovaa (0 bytes)
C:\!KillBox\_detmp.2 : bavxst (11736 bytes)
C:\!KillBox\_detmp.2 : bazmxj (0 bytes)
C:\!KillBox\_detmp.2 : bblsur (0 bytes)
C:\!KillBox\_detmp.2 : bbvxvz (11152 bytes)
C:\!KillBox\_detmp.2 : bcozvz (0 bytes)
C:\!KillBox\_detmp.2 : bczrri (0 bytes)
C:\!KillBox\_detmp.2 : bdgdnp (0 bytes)
C:\!KillBox\_detmp.2 : bdsujy (0 bytes)
C:\!KillBox\_detmp.2 : bdytsd (11152 bytes)
C:\!KillBox\_detmp.2 : begeru (0 bytes)
C:\!KillBox\_detmp.4 : aoauxa (0 bytes)
C:\!KillBox\_detmp.4 : bfmtqz (0 bytes)
C:\!KillBox\_detmp.4 : bznuba (0 bytes)
C:\!KillBox\_detmp.4 : dsdffe (0 bytes)
C:\!KillBox\_detmp.4 : dvwnrt (0 bytes)
C:\!KillBox\_detmp.4 : dwfinc (0 bytes)
C:\!KillBox\_detmp.4 : egpigq (0 bytes)
C:\!KillBox\_detmp.4 : erhjsg (0 bytes)
C:\!KillBox\_detmp.4 : ewmjqj (0 bytes)
C:\!KillBox\_detmp.4 : faluce (0 bytes)
C:\!KillBox\_detmp.4 : frrrkv (0 bytes)
C:\!KillBox\_detmp.4 : ftrzxl (0 bytes)
C:\!KillBox\_detmp.4 : gpomuh (0 bytes)
C:\!KillBox\_detmp.4 : hblgxn (0 bytes)
C:\!KillBox\_detmp.4 : igephh (0 bytes)
C:\!KillBox\_detmp.4 : ilnwkr (0 bytes)
C:\!KillBox\_detmp.4 : iyihoh (0 bytes)
C:\!KillBox\_detmp.4 : jgvphx (0 bytes)
C:\!KillBox\_detmp.4 : jhphtu (0 bytes)
C:\!KillBox\_detmp.4 : jjuwxc (0 bytes)
C:\!KillBox\_detmp.4 : jpvivx (0 bytes)
C:\!KillBox\_detmp.4 : kclzxr (0 bytes)
C:\!KillBox\_detmp.4 : kkiqqj (0 bytes)
C:\!KillBox\_detmp.4 : kmorfq (0 bytes)
C:\!KillBox\_detmp.4 : kwgsqp (0 bytes)
C:\!KillBox\_detmp.4 : kwudlr (0 bytes)
C:\!KillBox\_detmp.4 : kwvtuy (0 bytes)
C:\!KillBox\_detmp.4 : kzlakb (0 bytes)
C:\!KillBox\_detmp.4 : lpreb (0 bytes)
C:\!KillBox\_detmp.4 : lqxdqw (0 bytes)
C:\!KillBox\_detmp.4 : lyiumf (0 bytes)
C:\!KillBox\_detmp.4 : mhxemm (0 bytes)
C:\!KillBox\_detmp.4 : moiuao (0 bytes)
C:\!KillBox\_detmp.4 : mtytdi (0 bytes)
C:\!KillBox\_detmp.4 : naujlu (197761 bytes)
C:\!KillBox\_detmp.4 : npintp (0 bytes)
C:\!KillBox\_detmp.4 : obdgtr (0 bytes)
C:\!KillBox\_detmp.4 : oespkx (0 bytes)
C:\!KillBox\_detmp.4 : ogfjco (0 bytes)
C:\!KillBox\_detmp.4 : pibbdc (0 bytes)
C:\!KillBox\_detmp.4 : ppelqn (0 bytes)
C:\!KillBox\_detmp.4 : ptrfuu (0 bytes)
C:\!KillBox\_detmp.4 : qanbdz (0 bytes)
C:\!KillBox\_detmp.4 : qcxnyr (0 bytes)
C:\!KillBox\_detmp.4 : qdfipp (0 bytes)
C:\!KillBox\_detmp.4 : qmsogi (0 bytes)
C:\!KillBox\_detmp.4 : qscjhq (0 bytes)
C:\!KillBox\_detmp.4 : rolvbm (0 bytes)
C:\!KillBox\_detmp.4 : rqrequ (0 bytes)
C:\!KillBox\_detmp.4 : rxxajf (0 bytes)
C:\!KillBox\_detmp.4 : sbelrp (0 bytes)
C:\!KillBox\_detmp.4 : sufbxq (0 bytes)
C:\!KillBox\_detmp.4 : svcqrh (0 bytes)
C:\!KillBox\_detmp.4 : tfmxkv (0 bytes)
C:\!KillBox\_detmp.4 : tgfykc (0 bytes)
C:\!KillBox\_detmp.4 : thiidu (0 bytes)
C:\!KillBox\_detmp.4 : ttlogh (197761 bytes)
C:\!KillBox\_detmp.4 : uagzek (0 bytes)
C:\!KillBox\_detmp.4 : ukjyqg (0 bytes)
C:\!KillBox\_detmp.4 : usupmp (0 bytes)
C:\!KillBox\_detmp.4 : vgvuil (0 bytes)
C:\!KillBox\_detmp.4 : vllamw (0 bytes)
C:\!KillBox\_detmp.4 : vorkbl (0 bytes)
C:\!KillBox\_detmp.4 : vtwkho (0 bytes)
C:\!KillBox\_detmp.4 : vvostd (0 bytes)
C:\!KillBox\_detmp.4 : vxxohe (0 bytes)
C:\!KillBox\_detmp.4 : whtmxb (0 bytes)
C:\!KillBox\_detmp.4 : wzowmt (197761 bytes)
C:\!KillBox\_detmp.4 : xbeieg (0 bytes)
C:\!KillBox\_detmp.4 : xcyurv (0 bytes)
C:\!KillBox\_detmp.4 : xkjloe (0 bytes)
C:\!KillBox\_detmp.4 : xrjemg (0 bytes)
C:\WINDOWS\system32 : pbaa.dll (3584 bytes)
C:\WINDOWS\system32 : pbaa.dll (3584 bytes)
C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\AGRSMMSG.exe : cgwbwj (3567 bytes)
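The two ADS Spy logs above show the same stream names and sizes first under C:\WINDOWS and then under C:\!KillBox: Killbox quarantines by moving the host file, and a move within one NTFS volume keeps every alternate data stream attached to it. As an added example that is not part of this thread, the Python script below parses ADS Spy output, fingerprints each host's stream set by (name, size), and reports hosts whose streams merely changed path rather than disappearing, plus the streams that actually carry data. The sample logs are constructed from a handful of lines quoted from the two posts above (including the duplicated pbaa.dll line), and the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample input: a few lines quoted from the two ADS Spy logs in the
# thread. BEFORE_LOG is the scan of C:\WINDOWS; AFTER_LOG is the scan taken
# after Killbox had "deleted" _detmp.2 and _detmp.4, and it carries the
# duplicated pbaa.dll line exactly as it was posted.
BEFORE_LOG = r"""
C:\WINDOWS\_detmp.2 : aagjuq (11736 bytes)
C:\WINDOWS\_detmp.2 : aaqmhk (0 bytes)
C:\WINDOWS\_detmp.2 : aokbck (4870 bytes)
C:\WINDOWS\_detmp.4 : aoauxa (0 bytes)
C:\WINDOWS\_detmp.4 : naujlu (197761 bytes)
"""

AFTER_LOG = r"""
C:\!KillBox\_detmp.2 : aagjuq (11736 bytes)
C:\!KillBox\_detmp.2 : aaqmhk (0 bytes)
C:\!KillBox\_detmp.2 : aokbck (4870 bytes)
C:\!KillBox\_detmp.4 : aoauxa (0 bytes)
C:\!KillBox\_detmp.4 : naujlu (197761 bytes)
C:\WINDOWS\system32 : pbaa.dll (3584 bytes)
C:\WINDOWS\system32 : pbaa.dll (3584 bytes)
C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\AGRSMMSG.exe : cgwbwj (3567 bytes)
"""

# One ADS Spy line has the shape "<host path> : <stream name> (<size> bytes)".
LINE_RE = re.compile(r"^(?P<host>.+?) : (?P<stream>\S+) \((?P<size>\d+) bytes\)$")


def parse_ads_log(text):
    """Map each host file or directory to {stream_name: size_in_bytes}.

    Repeated lines (ADS Spy listed pbaa.dll twice) collapse into one entry.
    """
    hosts = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ADS Spy line: {line!r}")
        hosts[m["host"]][m["stream"]] = int(m["size"])
    return dict(hosts)


def fingerprint(streams):
    """Order-independent identity of a stream set: its (name, size) pairs."""
    return frozenset(streams.items())


def payload_streams(hosts, min_size=1):
    """Streams that actually carry data; the many 0-byte streams are clutter."""
    return sorted(
        (host, name, size)
        for host, streams in hosts.items()
        for name, size in streams.items()
        if size >= min_size
    )


def find_moved_hosts(before, after):
    """Hosts whose exact stream set reappears under a different path.

    A move within one NTFS volume is a rename, so every alternate data
    stream travels with the host. A tool that quarantines by moving the
    file therefore leaves the streams intact, which is what the second
    log in the thread shows.
    """
    by_fp = defaultdict(list)
    for path, streams in after.items():
        if streams:
            by_fp[fingerprint(streams)].append(path)
    moved = []
    for old_path, streams in before.items():
        if not streams:
            continue
        old_name = old_path.rsplit("\\", 1)[-1]
        for new_path in by_fp.get(fingerprint(streams), []):
            if new_path != old_path and new_path.rsplit("\\", 1)[-1] == old_name:
                moved.append((old_path, new_path))
    return moved


def triage(before_text, after_text):
    """Compare two ADS Spy logs: what moved, what is genuinely new, what has data."""
    before = parse_ads_log(before_text)
    after = parse_ads_log(after_text)
    moved = find_moved_hosts(before, after)
    destinations = {new for _, new in moved}
    return {
        "moved": moved,
        "new": sorted(set(after) - set(before) - destinations),
        "payload": payload_streams(after),
    }


if __name__ == "__main__":
    for key, rows in triage(BEFORE_LOG, AFTER_LOG).items():
        print(key)
        for row in rows:
            print("   ", row)
```

Run as a script it prints the two _detmp hosts as moved (not removed), pbaa.dll and the AGRSMMSG.exe stream as new, and only the five non-empty streams as payload. The practical check this encodes: a second ADS scan that still lists the same (name, size) pairs under a new path has not confirmed removal, and a quarantine folder on the same NTFS volume needs to be deleted outright, as the next reply in the thread goes on to ask.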

#67 guestolo (Site Donator, Admin, 16,247 posts)
Posted 29 January 2006 - 11:53 AM

Sorry for the delay

Can you try the following please
From below, download and unzip to the desktop fix3.zip so you now have fix3.reg extracted

Check for updates with Ewido, don't run a scan yet
Check for updates with Ad-Aware, don't run a scan yet

Can you run Killbox.exe
Main screen of Killbox
In the full path of file to delete, copy and paste the whole line below in bold

C:\WINDOWS\system32\pbaa.dll

Select the options to "Delete File on Reboot"
"End Explorer Shell While Killing File"
"Unregister .dll before deleting"

Click the red circle white x button
Allow to delete on reboot
and then reboot now

Please boot into safe mode

In safe mode
Can you double click on fix.reg and allow to add/merge to the registry

Can you delete the folder created by Killbox
C:\!KillBox <-this folder

Run a complete scan with Ewido afterwards
Save the log when it's done

Can you open the WinPFind folder you extracted to the desktop earlier
Double click on WinPFind.exe
Click START SCAN
When it's done just close out

Reboot back to Normal mode

Can you run the scan with Ad-Aware again
When the scan is done Save A Report please

Come back here and post the report from ad-aware
Could you also post the report from Ewido
Post the results of WinPFind.txt located in the WinPFind folder
Can you also run ads-spy from hijackthis one more time and post the log

In addition: Can you run a search on this computer for
cgwbwj
Let me know if anything shows up please, if so, at what location

#68 indigenous1 (Journeyman, Members, 45 posts)
Posted 29 January 2006 - 05:11 PM

Downloaded and unzipped fix3. Ran Killbox and deleted the file. Also deleted the Killbox folder. Ran Ad-Aware and it didn't find the file this time, so we must've got it. Also, searched for cgwbwj and it wasn't found. When I ran HJT ADS Spy the scan screen was blank and it wouldn't save a logfile, so I assume it came up with nothing.
Here are the logs you requested.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:27:37 PM, 1/29/2006
+ Report-Checksum: 562370BB

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-